__________________________________________________________________
Squid Proxy Cache Security Update Advisory SQUID-2015:2
__________________________________________________________________
Advisory ID: SQUID-2015:2
Date: July 06, 2015
Summary: Improper Protection of Alternate Path
Affected versions: Squid 0.x -> 3.5.5
Fixed in version: Squid 3.5.6
__________________________________________________________________
http://www.squid-cache.org/Advisories/SQUID-2015_2.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5400
__________________________________________________________________
Problem Description:
Squid configured with cache_peer and operating on explicit proxy
traffic does not correctly handle CONNECT method peer responses.
__________________________________________________________________
Severity:
The bug is important because it allows remote clients to bypass
security in an explicit gateway proxy.
However, the bug is exploitable only if you have configured
cache_peer to receive CONNECT requests.
__________________________________________________________________
Updated Packages:
This bug is fixed by Squid version 3.5.6.
In addition, patches addressing this problem for stable releases
can be found in our patch archives:
Squid 3.1:
http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10494.patch
Squid 3.4:
http://www.squid-cache.org/Versions/v3/3.4/changesets/squid-3.4-13225.patch
Squid 3.5:
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13856.patch
If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
__________________________________________________________________
Determining if your version is vulnerable:
All Squid versions with cache_peer omitted from squid.conf are
not vulnerable to the problem.
All Squid versions with squid.conf containing
"nonhierarchical_direct on" are not vulnerable to the problem.
All Squid-3.1 and later with nonhierarchical_direct omitted from
squid.conf are not vulnerable to the problem.
All other unpatched Squid configured to use a cache_peer without
the "originserver" option are vulnerable to the problem.
__________________________________________________________________
Workaround:
For Squid-3.0 and older ensure squid.conf contains
"nonhierarchical_direct on".
For Squid-3.1 and newer remove nonhierarchical_direct from
squid.conf.
__________________________________________________________________
Contact details for the Squid project:
For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.
If you install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.
For reporting of non-security bugs in the latest release
the squid bugzilla database should be used
http://bugs.squid-cache.org/.
For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
__________________________________________________________________
Credits:
The vulnerability was reported and fixed by Alex Rousskov, The
Measurement Factory.
Squid-3.1 backport by Raphaël Hertzog, Debian Project.
__________________________________________________________________
Revision history:
2015-06-16 16:54 GMT Initial Report and Patches Released
2015-05-03 15:37 GMT Packages Released
2015-07-17 14:09 GMT CVE Assignment
2015-07-30 15:57 GMT Patch for 3.1 added
__________________________________________________________________
END